A group of Israeli cybersecurity researchers exploited serious vulnerabilities in the Visual Studio Code (VSCode) Marketplace, using a trojanized extension to infect over 100 organizations.
Visual Studio Code, also commonly referred to as VSCode, is a popular and free source code editor developed by Microsoft for Windows, Linux, macOS, and web browsers and used by a significant percentage of professional software developers around the world.
To demonstrate their findings, the researchers, Amit Assaraf, Itay Kruk, and Idan Dardikman, used the popular Dracula theme named “Dracula Official” (with over +6,000,000 installs) and created their own copycat “Darcula Official”.
After downloading the source code, the researchers added their own code and copied all the marketing resources.
Following this, they were able to get a domain name, darculatheme[.]com, similar to the official draculatheme.com.
This domain was used to become the verified publisher on the VSCode Marketplace to add credibility to the fake extension. The team was able to publish their harmful extension within just 30 minutes.
VSCode Marketplace is the most popular extension market for the integrated development environment (IDE) that allows users to add languages, debuggers, and tools to their installation to support their development workflow.
Not only does the malicious extension use the actual code from the legitimate Darcula theme, but it also includes an added script to extract system information, such as hostname, domain, platform, number of extensions, etc., and sends the data to a remote server via an HTTPS POST request.
According to the researchers, the activity of the ‘Darcula’ extension was not detected by the standard endpoint detection and response (EDR) tools due to VSCode’s design, which allows reading many files, execution of several commands, and creation of child processes, which was treated with leniency.
“Unfortunately, traditional endpoint security tools (EDRs) do not detect this activity (as we’ve demonstrated examples of RCE for select organizations during the responsible disclosure process), VSCode is built to read lots of files and execute many commands and create child processes, thus EDRs cannot understand if the activity from VSCode is legit developer activity or a malicious extension.” – Amit Assaraf
Interestingly, after the extension went live on the VSCode Marketplace, the researchers were able to gain 100+ different victims without promoting the extension or doing anything extraordinary to get developers to install it (When searching “Darcula Theme”).
After a few days on the VSCode Marketplace, the extension was installed by a publicly listed company with a $483 billion dollar market cap, the biggest security firms, and a national justice court network. The researchers chose not to disclose the names of the affected companies.
As the experiment did not have malicious intent, the researchers only collected identifying information and disclosed it in the extension’s Read Me, license, and code.
Using a custom tool named ‘ExtensionTotal’, the researchers analyzed the threat landscape of the VSCode Marketplace and discovered the following high-risk extensions in their initial research:
1,283 extensions with a combined total of 229 million installs
8161Â extensions that communicate with a hardcoded IP address from JS code
1,452Â extensions that run an unknown executable binary or DLL on the host machine.
2,304 are using another publisher’s GitHub repo as their official listed repository, suggesting copycat extensions.
One harmful extension, found in a malicious Visual Studio Code Marketplace in particular, was capable of opening a reverse shell to the cybercriminal’s server.
“As you can tell by the numbers, there are plethora of extensions that pose risks to organizations on the Visual Studio Code marketplace. VSCode extensions are an abused and exposed attack vertical, with zero visibility, high impact, and high risk. This issue poses a direct threat to organizations and deserves the security community’s attention,” the researchers warned.
The researchers responsibly reported all the malicious extensions they detected to Microsoft and requested that they be removed. As of writing this article, many malicious extensions remain available for download via the VSCode Marketplace.
Further, the researchers plan to release their ‘ExtensionTotal’ tool as a free tool for developers to help them scan for potential threats within their environments.
Microsoft has yet to respond to inquiries about the current state of malicious extensions in the Visual Studio Marketplace and how it plans to strengthen its security.
